Creating an IAM User and a Group

Let's create an IAM user and group so we can login without our root account.


A new user

Another thing that we will do to secure our account is to create an individual IAM user account that isn’t the root account. Only a few AWS tasks require the root user's credentials, for example changing support plans, closing the account, or making billing changes in the Billing and Cost Management console. Everything else should be done as an IAM user.

There are two access types for an AWS account. Programmatic access is where we create an access key ID and a secret access key. These are used for the AWS API, the AWS CLI, the SDKs, and other development tools. The other type of access is management console access, where we have a username and password to log in and use the management console. We don’t need to have both of these. We can have one or the other, or both together. For the most part, we’re just going to be logging on as an individual IAM user.

We start by opening up the IAM console.

We can click the down arrow and choose “Manage users” or we can just go up to “Users”. It's the same thing.

What we want to do is add a user.

Set the user name. We have options for two access types. We are going to select both. We can then choose to auto-generate a password or set a custom password. In this case we are going to set our own password. We are also going to unselect the “Require password reset” option because we don't want to have to reset it. Then select “Next: Permissions”.

We have the option to add the user to a group, and what we want to do is create a new group.

We want to give that group administrator access. We are going to call the group AWS-Admins, so this will create a group called AWS-Admins and add the user that we're creating to that group.

If we select the administrator access policy, it is going to give full administrative privileges to our user through the group.

If you go down and look at the JSON, this is the format that policy statements are written in. There's always a “Version”, then a “Statement”, and in the statement you can see the “Effect” is to “Allow” the “Action”, where * is a wildcard. The “Resource” is a star as well, which means any resource. So this policy allows any action on any resource. Now that we have our policy selected and our group named, we can just choose “Create group”.
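The policy structure described above (Version, Statement, Effect, Action, Resource, and the * wildcard) is easy to check mechanically. The following is an added example, not part of the original lesson: a small auditor that parses a policy document and reports whether it grants full administrative access or uses wildcards. The two policy documents are constructed for the example; the first mirrors the AdministratorAccess policy shown in the console.

```python
import json

# Constructed copy of the AdministratorAccess policy as displayed in the console.
ADMIN_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}"""

# Constructed, narrower policy for comparison: a single statement (not a list)
# that only allows listing and reading IAM users.
READONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": ["iam:ListUsers", "iam:GetUser"], "Resource": "*"}
}"""


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(document):
    """Return findings about wildcard grants in an IAM policy document.

    Keys: 'version', 'full_admin' (an Allow of * on *), and the indexes of
    statements that use wildcard actions or a wildcard resource.
    """
    policy = json.loads(document)
    findings = {"version": policy.get("Version"), "full_admin": False,
                "wildcard_actions": [], "wildcard_resources": []}
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # "*" grants every action; "service:*" grants every action in a service
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings["wildcard_actions"].append(index)
        if "*" in resources:
            findings["wildcard_resources"].append(index)
        if "*" in actions and "*" in resources:
            findings["full_admin"] = True
    return findings


if __name__ == "__main__":
    for name, doc in (("AdministratorAccess", ADMIN_POLICY), ("ReadOnly", READONLY_POLICY)):
        print(name, audit_policy(doc))
```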

We're creating our group. Hit “Next: Tags” to proceed.

We can choose to assign tags, which are key-value pairs used to attach metadata to resources in AWS. We are going to leave this blank for now and go to “Review”.

We can see all the details for our new user. We're just going to choose “Create user”.

The user has been created. You'll see that you get an access key ID and a secret access key. These are very security sensitive. Anybody who has these keys will be able to do whatever you have privileges to do in your account.

The other thing you need to know is you can only see this once. This secret access key is only generated at creation time so it's only visible at creation time. Take a copy of this and keep it somewhere very secure and make sure no one gets access to it. Once this is done, choose “Close”.

Let's just have a look at what we've created in the IAM console. We've got a group and the group is called AWS-Admins.

The group has the following permissions. It has a policy for administrator access. We can do anything on any resource.

We then created a user called Neal. Click on the user's name.

That user is a member of the group called AWS-Admins.

When you look at the Permissions tab, you can see that the user has these permissions attached through the group.

You could then go over to Access Advisor. It shows you the service permissions that are granted to this user. In this case it's a very extensive list, obviously, because of the group and the policy that we've assigned to this user. That's all we need to do for now. We are going to sign out and sign back into the console.

Now, in this case, we're going to choose “Sign in to a different account”.

We're going to enter the account alias which we set earlier and choose next.


We've now logged in with our new user account, and if we go to Identity and Access Management we can see that we've created an individual IAM user and used the group to assign its permissions.
